PRIVACY Forum Digest Sunday, 27 September 1998 Volume 07 : Issue 16
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com
===== PRIVACY FORUM =====
-------------------------------------------------------------------
The PRIVACY Forum is supported in part by
the ACM (Association for Computing Machinery)
Committee on Computers and Public Policy,
"internetMCI" (a service of the Data Services Division
of MCI Telecommunications Corporation),
Cisco Systems, Inc., and Telos Systems.
- - -
These organizations do not operate or control the
PRIVACY Forum in any manner, and their support does not
imply agreement on their part with nor responsibility
for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------
CONTENTS
A New Twist on Caller ID from Ameritech
(Lauren Weinstein; PRIVACY Forum Moderator)
Drivers' Licenses and Social Security Numbers Update
(Lauren Weinstein; PRIVACY Forum Moderator)
Netscape Privacy Update (Lauren Weinstein; PRIVACY Forum Moderator)
Surveillance Article in "The Information Society" (Gary Marx)
Huntington Bank Policies (David Lesher)
Cookies (David Kulp)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com".
All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.
All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/". Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------
VOLUME 07, ISSUE 16
Quote for the day:
"Would you care to join me in watching the supernova?
It is a once in a lifetime experience."
-- Kai (Michael McManus)
"Super Nova: Tales From a Parallel Universe"
(Time Film und TV Produktion GmbH/Salter Street Films; 1997)
----------------------------------------------------------------------
Date: Fri, 25 Sep 98 12:24 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: A New Twist on Caller ID from Ameritech
Greetings. Ameritech is introducing a novel extra cost add-on for their
customers who already are subscribing to Calling Number ID (CNID). The
service, with the somewhat generic name of "Privacy Manager," appears to be
positioned as an alternative to "traditional" Anonymous Call Blocking (ACB).
I've discussed ACB and its problems in this Forum in the past. ACB forces
callers to disclose the number they are calling from (and often the name
associated with that phone account) in order to complete a call. Since
anybody can be making a call using any phone, CNID data really only provides
information regarding where the person is who is calling, not who the
person is.
Ameritech's Privacy Manager, like Anonymous Call Blocking, is being publicly
positioned as an anti-telemarketing service (this despite the fact that
Ameritech itself does its own telemarketing). Instead of simply blocking an
unidentified call as ACB would, Privacy Manager diverts the caller to a
recording which asks them to vocally identify themselves. If they don't
respond, the system terminates the call. If the caller provides some vocal
input, the system then rings the subscriber, and plays the brief recorded
caller input. The subscriber can then choose to accept the call, reject it,
or reject and play a recording ordering the caller to put the subscriber on
their permanent no-call list. A no-answer condition results in the caller
being diverted to voicemail. I assume that the caller isn't charged for the
call unless there is acceptance or diversion to voicemail, even with the
longish holding times that could result, but this isn't clear from available
information right now.
The service has some interesting aspects, and some obvious problems. Would
subscribers who are so hot under the collar about unidentified calls in the
first place even want to have such calls ringing them for their decision?
It seems likely that most such persons would choose anonymous call blocking,
where available, even though it is a fundamentally flawed concept in most
respects. And even though Ameritech claims the "put subscriber on your
no-call list" recording is legally binding, one has to wonder how effective
such a mechanism would be in the face of the large amounts of phone number
"churn" that characterize most areas today--numbers are constantly changing
hands.
All that having been said, the Privacy Manager concept (which Ameritech is
trying to patent, by the way) has one significant positive aspect. It does
provide a way for callers to identify themselves rather than the phone
number and/or account name where they are calling from. One of the main
arguments against calling number ID is that it forces the caller to reveal
unlisted numbers, internal numbers, or the location where they are at the
moment (doctor's office? Friend's house?) This is information which is
typically none of the business of the person being called. But Privacy
Manager, by allowing for a vocal identification instead of a number/account
name ID, avoids this particular problem.
Whether people will really be willing to continue paying more and more fees
for these various Caller ID features remains to be seen. As I mentioned,
Caller ID services are often marketed primarily as a telemarketing blocking
service. It appears certain that many telemarketers will react by simply
unblocking their IDs, and perhaps calling from outgoing lines which aren't
answered for incoming calls and/or are associated with innocuous sounding
account names. In the long run, such actions would render much of the
promoted value of Calling Number ID for telemarketing blocking largely moot.
It's clear that the various battles regarding Caller ID are still really
only in their infancy.
--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com
------------------------------
Date: Sat, 26 Sep 98 20:25 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Drivers' Licenses and Social Security Numbers Update
Greetings. Back in PRIVACY Forum Digest V07 #13;
(http://www.vortex.com/privacy/priv.07.13), I reported on the proposal by
the National Highway Traffic Safety Administration (U.S. Department of
Transportation) to impose a number of requirements relating to Social
Security Number collection/verification/display for state-issued drivers'
licenses. It now appears that reaction to this proposal from most state
officials has been quite negative. In light of this and other concerns,
even the American Association of Motor Vehicle Administrators (AAMVA) which
has supported the plan, has announced that it is rethinking its position,
and the comment period for the proposal has been extended to Oct 2, 1998.
The general consensus is that the plan is now unlikely to move forward in
its current form. Of course, interested parties should continue to make use
of the comment period to make their feelings known on all sides of this
issue.
--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com
------------------------------
Date: Sat, 26 Sep 98 20:34 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Netscape Privacy Update
Greetings. The saga regarding privacy issues relating to Netscape
Communicator versions 4.0.6 and the 4.5 pre-release continues.
I've discussed this previously in PRIVACY Forum Digest V07 #14 and #15;
(http://www.vortex.com/privacy/priv.07.14, and
http://www.vortex.com/privacy/priv.07.15).
As you may recall, in our last chapter I reported a serious communication
problem I was having with Netscape--the inability to get further responses
from them regarding these privacy issues after an initial conversation. I'm
pleased to report that I am now back in contact with Netscape managers with
appropriate levels of responsibility and focus, and I hope to soon have new
substantive information about the privacy matters I've previously discussed.
In the meantime, an apparently valid e-mail address for sending
privacy-related concerns to Netscape has now surfaced: privacy@netscape.com.
Unlike some previous addresses provided to me by Netscape, I have been
assured that this address will not result in an automated response, and that
it is regularly read by a live human being!
I'll of course be reporting back as information and developments warrant.
--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com
------------------------------
Date: Thu, 17 Sep 1998 10:17:08 -0700 (PDT)
From: gary marx <gmarx@linknet.kitsap.lib.wa.us>
Subject: Surveillance Article in "The Information Society"
The following article appearing in "The Information Society," July-Aug. 1998
and available on the web page below may be of interest to subscribers.
"Ethics for the New Surveillance"--The abstract follows:
The Principles of Fair Information Practice are almost three decades old
and need to be broadened to take account of new technologies for
collecting personal information such as drug testing, video cameras,
electronic location monitoring, and the Internet. I argue that the ethics
of a surveillance activity must be judged according to the means,
the context and conditions of date collection, and the uses/goals, and
suggest 29 questions related to this. The more one can answer these
questions in a way that affirms the underlying principle, the more ethical
the use of a tactic is likely to be. Four conditions are identified that,
when breached, are likely to violate an individual's reasonable
expectation of privacy. Respect for the dignity of the person is central
factor and emphasis is put on the avoidance of harm, validity, trust,
notice and permission when crossing personal borders.
Gary T. Marx
home page: http://socsci.colorado.edu/~marxg/garyhome.html
------------------------------
Date: Mon, 7 Sep 1998 22:17:27 -0400 (EDT)
From: David Lesher <wb8foz@nrk.com>
Subject: Huntington Bank Policies
Huntington Banks sent around a "Customer Information Privacy
Statement"...
They claim "Your Privacy is the Huntington's Priority"
but:
one exception to their "we won't" is sec. 6.4: If the
customer does not opt out....
another is "It is commonplace {....} to share information
with customer reporting agencies." {This appears to mean
credit rumor agencies...}
And they discuss how they will use your data internally,
semi-internally, & externally, unless you complain.
They also give an address {POB 1558 43216} to write to, but it
appears you must write 4 or 5 separate letters to cover all the
ways they admit your privacy is NOT their priority.
You can call 800-294-5809 to discuss this with them. Don't do so
from home, though....
[ That's an (unfortunately) pretty typical situation.
I really wouldn't be too concerned about calling them from
home--odds are your home phone number is already on any
number of bank documents. I would seriously doubt that
any "capture" of caller ANI phone number data would be
used in this sort of situation.
-- PRIVACY Forum Moderator ]
------------------------------
Date: Sun, 6 Sep 1998 10:18:38 -0700 (PDT)
From: dkulp@cse.ucsc.edu (David Kulp)
Subject: Cookies
The cookie "problem" has come up often in privacy discussions. While
it is wise to be aware and in control of the distribution of private
information, it is worth noting that the cookie technology is nothing
really new. To be precise, a user's "movement" through a web-site may
be tracked without the use of cookies (by embedding state information
in URLs), but using cookies is an easier way of tracking such
information. This includes common conveniences such as remembering
passwords, recently entered information, previously visited pages,
etc.
What cookies offer in addition to URLs is the ability to track the
same user from visit to visit. The state information that a site
embeds in URLs is lost when a site is revisited, but a cookie is
retained between visits. (A user can essentially thwart this by
regularly removing their cookies file.)
In any case, arbitrarily accepting cookies is likely a waste of time.
Intuitive guessing about accepting or rejecting a cookie named
"advertisingtracker" (malicious, intrusive) versus one called
"lastlookupcitystate" (convenient) in no way guarantees the proper use
of your personal information. Furthermore, accepting cookies from the
same site as the page being viewed and rejecting cookies from other
sites (a preference option for Netscape Navigator), does not keep site
administrators from sharing your information with another site. For
example, a recent news article announced the collaboration among
several internet sites with plans to share tracking data.
In summary, cookies offer no major advance in personal information
monitoring compared to other "server-side" methods that cannot be
controlled by the user. Arbitrary filtering of cookies is not
particularly effective. Other methods exist for tracking user trends
among multiple sites that do not use cookies. Therefore, a privacy
advocate's concern should be directed foremost to the establishment of
privacy policies for all sites, and less emphasis on the cookie
technology itself.
David Kulp
ps. An authoritative bulletin from the Computer Incident Advisory
Capability can be found at
http://www.ciac.org/ciac/bulletins/i-034.shtml
------------------------------
End of PRIVACY Forum Digest 07.16
************************